In the previous blog, we discussed the management of system configuration. In this blog, we will look at how media should be protected and why it is important to do so. As discussed in previous blogs, access to electronic and physical media in all of its forms should be restricted to authorized personnel. The agency should maintain a CJIS Compliance media protection policy and document its procedures. There should be a concrete set of procedures defined for securely transporting, handling and storing media.
Media Storage and Access
The agency should store physical and electronic media securely in controlled areas or physically secure locations. Access to electronic and physical media should be restricted to authorized personnel. If both personnel and physical restrictions can’t be applied due to any constraints, the data should be encrypted. The standards of encryption will be discussed in a dedicated blog later.
Transport of media is an important aspect, and agencies should ensure that they protect and control physical and electronic media during its transport outside the controlled areas. Furthermore, agencies should also ensure that the media is not transported to unauthorized personnel.
- Digital Media during Transport
Agencies should make sure that digital media containing criminal justice information is protected while in transit (physical movement from one location to another) in order to prevent compromise of sensitive data. The best possible way to secure data is by encrypting it. If encryption is not possible, the agency should put in place physical controls to ensure that the data is secure.
- Physical Media in Transit
Similar security measures and controls need to be applied to CJI in physical form. Physical media includes printed imagery and printed documents, among others. Information in physical form should be protected on par with the protection given to digital media.
Electronic Media Sanitization and Disposal
Beyond media protection, agencies should ensure that electronic media is sanitized before disposal. That means that the electronic media should be overwritten at least three times or degaussed. The same procedure should be followed even if the media is being released for reuse by unauthorized personnel. Inoperable media should either be shredded or cut up to ensure that it can’t be misused. Written documentation of the steps taken to sanitize and destroy electronic media should be maintained by the agency. Furthermore, agencies should ensure that sanitization and destruction are carried out in the presence of authorized personnel.
Disposal of Physical Media
Disposal of physical media is also important, and the agency needs to dispose of physical media that is no longer of use to it. Formal procedures governing the secure destruction and disposal of physical media need to be followed. Physical media can be disposed of by incineration or shredding and, once again, disposal should be done by or under the supervision of authorized personnel only, as per the CJIS Compliance Media Protection policy.
In the next blog, we will look at the next policy – Physical Protection.